Resolve credential leak via ps while jenkins-cli is used during puppe…

…t runs
voxpupuli · Feb 27, 2020 · 07035e4 · 07035e4
1 parent 5c32ec2
commit 07035e4
Show file tree

Hide file tree

Showing 7 changed files with 59 additions and 16 deletions.
diff --git a/manifests/cli.pp b/manifests/cli.pp
@@ -64,6 +64,15 @@
     ' '
   )
 
+  if !empty($jenkins::cli_password) {
+    $cmd_environment = [
+      "JENKINS_USER_ID=${jenkins::cli_username}",
+      "JENKINS_API_TOKEN=${jenkins::cli_password}",
+    ]
+  } else {
+    $cmd_environment = undef
+  }
+
   # Do a safe restart of Jenkins (only when notified)
   exec { 'safe-restart-jenkins':
     command     => "${cmd} safe-restart && /bin/sleep 10",
@@ -72,6 +81,7 @@
     try_sleep   => $cli_try_sleep,
     refreshonly => true,
     require     => File[$jar],
+    environment => $cmd_environment,
   }
 
   # jenkins::cli::reload should be included only after $::jenkins::cli::cmd is

diff --git a/manifests/cli/exec.pp b/manifests/cli/exec.pp
@@ -28,9 +28,14 @@
   )
 
   if $unless {
-    $environment_run = [ "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}" ]
+    $environment_run = delete_undef_values(
+      flatten([
+        $jenkins::cli::cmd_environment,
+        "HELPER_CMD=eval ${jenkins::cli_helper::helper_cmd}",
+      ])
+    )
   } else {
-    $environment_run = undef
+    $environment_run = $jenkins::cli::cmd_environment
   }
 
   exec { $title:

diff --git a/manifests/cli/reload.pp b/manifests/cli/reload.pp
@@ -17,5 +17,6 @@
     try_sleep   => $cli_try_sleep,
     refreshonly => true,
     require     => File[$jar_file],
+    environment => $jenkins::cli::cmd_environment,
   }
 }
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -401,7 +401,9 @@
     # Username / Password auth (needed for AD and other Auth Realms)
     if $_use_new_cli {
       if !empty($cli_password) {
-        $_cli_auth_arg = "-auth '${cli_username}:${cli_password}'"
+        # username and password passed as environment variables to prevent showing in ps output
+        # so setting cli_auth_arg to empty string
+        $_cli_auth_arg = ''
       } elsif !empty($cli_password_file) {
         $_cli_auth_arg = "-auth '@${cli_password_file}'"
       } else {

diff --git a/manifests/job/absent.pp b/manifests/job/absent.pp
@@ -33,11 +33,12 @@
 
   # Delete the job
   exec { "jenkins delete-job ${jobname}":
-    path      => ['/usr/bin', '/usr/sbin', '/bin'],
-    command   => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
-    logoutput => false,
-    onlyif    => "test -f \"${config_path}\"",
-    require   => Exec['jenkins-cli'],
+    path        => ['/usr/bin', '/usr/sbin', '/bin'],
+    command     => "${jenkins::cli::cmd} delete-job \"${jobname}\"",
+    logoutput   => false,
+    onlyif      => "test -f \"${config_path}\"",
+    require     => Exec['jenkins-cli'],
+    environment => $jenkins::cli::cmd_environment,
   }
 
 }
diff --git a/manifests/job/present.pp b/manifests/job/present.pp
@@ -65,7 +65,7 @@
   $job_dir            = "${jenkins::job_dir}/${jobname}"
   $config_path        = "${job_dir}/config.xml"
 
-  # Bring variables from Class['::jenkins'] into local scope.
+  # Bring variables from Class['jenkins'] into local scope.
   $cli_tries          = $jenkins::cli_tries
   $cli_try_sleep   = $jenkins::cli_try_sleep
 
@@ -80,18 +80,20 @@
   $cat_config = "cat \"${tmp_config_path}\""
   $create_job = "${jenkins_cli} create-job \"${jobname}\""
   exec { "jenkins create-job ${jobname}":
-    command => "${cat_config} | ${create_job}",
-    creates => [$config_path, "${job_dir}/builds"],
+    command     => "${cat_config} | ${create_job}",
+    creates     => [$config_path, "${job_dir}/builds"],
+    environment => $jenkins::cli::cmd_environment,
   }
 
   if $replace {
     # Use Jenkins CLI to update the job if it already exists
     $update_job = "${jenkins_cli} update-job ${jobname}"
     exec { "jenkins update-job ${jobname}":
-      command => "${cat_config} | ${update_job}",
-      onlyif  => "test -e ${config_path}",
-      unless  => "${difftool} ${config_path} ${tmp_config_path}",
-      notify  => Exec['reload-jenkins'],
+      command     => "${cat_config} | ${update_job}",
+      onlyif      => "test -e ${config_path}",
+      unless      => "${difftool} ${config_path} ${tmp_config_path}",
+      notify      => Exec['reload-jenkins'],
+      environment => $jenkins::cli::cmd_environment,
     }
   }
 

diff --git a/spec/classes/jenkins_cli_spec.rb b/spec/classes/jenkins_cli_spec.rb
@@ -25,7 +25,7 @@
           it { is_expected.to contain_exec('reload-jenkins').with_command(%r{http://localhost:9000}) }
           it { is_expected.to contain_exec('reload-jenkins').with_command(%r{-i\s'/path/to/key'}) }
           it { is_expected.to contain_exec('reload-jenkins').that_requires('File[/path/to/libdir/jenkins-cli.jar]') }
-          it { is_expected.to contain_exec('safe-restart-jenkins') }
+          it { is_expected.to contain_exec('safe-restart-jenkins').with('environment' => nil) }
           it { is_expected.to contain_jenkins__sysconfig('HTTP_PORT').with_value('9000') }
 
           describe 'jenkins::cli' do
@@ -40,6 +40,28 @@
               end
             end
           end
+
+          context '$cli_password is defined' do
+            let(:params) do
+              {
+                version: '2.54',
+                libdir: '/path/to/libdir',
+                cli: true,
+                cli_remoting_free: true,
+                cli_username: 'user01',
+                cli_password: 'password01'
+              }
+            end
+
+            it do
+              is_expected.to contain_exec('safe-restart-jenkins').with(
+                'environment' => [
+                  'JENKINS_USER_ID=user01',
+                  'JENKINS_API_TOKEN=password01'
+                ]
+              )
+            end
+          end
         end
 
         context '$cli => false' do